georgelim
New Member
December 10, 2019
Question

Stopping EMOTET & TRICKBOT malware


Does Fortigate stop Emotet & Trickbot malware from entering into our environment?


    mcdaniels
    New Member
    December 13, 2019

    Hi,

    In my opinion it is very important that you activate "Redirect botnet C&C requests to Block Portal" in DNS filters (and use it in your policies); additionally, SSL deep inspection is a must-have. But it is not only a firewall thing to stop Emotet. As the trojan comes with documents (XLSx, DOCx for example), you also have to watch your "Office settings". E.g. do not activate macros automatically, or even block emails with macro documents in the attachment.


    If you are in a corporate environment, you have to continuously inform your users too.


    We had 4-5 times where a user activated the macro (by clicking on "activate content"). The FortiGate then blocked the connection attempt to the "hackers'" server (botnet), and it was not able to download additional "bad things". So we were lucky to have a FortiGate unit.


    Just my 2 cents!

    adams1980
    New Member
    July 15, 2020

    OMG, this problem always appears when you don't even expect it. I hate viruses and this kind of malware. First of all, a virus destroys your software and makes it delete your files, memory and so on, till it is blank. It is the worst thing ever... I have had such a problem several times and now I know for sure what you should do. You need to clean your registry with one of the dedicated tools. It will give you the possibility to secure your software in the future as well. There are several good services that professionally clean these tools. I used this one https://thinkmobiles.com/blog/best-registry-cleaner-tools/

    sw2090
    SuperUser
    July 16, 2020

    Well, I think the only suitable way to prevent those is to forbid a bunch of extensions for mail attachments. They all come with compromised documents or similar.

    We here have forbidden a load of those file formats as email attachment extensions, and since then (about 2 yrs) we haven't had a single infection with those.

    False positives do occur of course, but in this case the user has to inform us; we check that mail, and if we approve that it is a false positive and has no infection, we permit the mail to go to the user.

    We do that directly on our external mailserver.


    This is the main entrance for all the scare- and ransomware stuff! Probably you could also handle that with the FortiGate's mail filter.
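The attachment blocking sw2090 describes, together with mcdaniels' point about macro documents, as an added Python example that is not from this thread and not Fortinet code: a gateway-side classifier that applies an extension denylist and additionally opens OOXML attachments to look for an embedded VBA project, so a macro file renamed to .docx is still blocked and a file that cannot be inspected is quarantined for the manual review the thread mentions. The denylist, function names and the sample message are all constructed for this example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
# Constructed denylist for this example; a real gateway tunes it to its own environment.
BLOCKED_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".js", ".vbs", ".hta", ".exe", ".scr"}
OOXML_EXTENSIONS = {".docx", ".xlsx", ".pptx"}   # zip containers we can look inside
MACRO_MEMBERS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}  # VBA project names

def classify_attachment(filename, data):
    """Return 'block', 'quarantine' or 'allow' for one attachment."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block"                  # plain extension denylist, as sw2090 does
    if ext in OOXML_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "quarantine"         # claims to be OOXML but is not inspectable: hold for review
        if names & MACRO_MEMBERS:
            return "block"              # macro-enabled document hiding behind a .docx name
    return "allow"

def scan_message(raw):
    """Classify every attachment of a raw RFC 5322 message; the worst verdict wins."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdicts = [(p.get_filename(), classify_attachment(p.get_filename(), p.get_payload(decode=True)))
                for p in msg.iter_attachments() if p.get_filename()]
    rank = {"allow": 0, "quarantine": 1, "block": 2}
    return max((v for _, v in verdicts), key=rank.get, default="allow"), verdicts

def make_ooxml(with_macros):
    """Build a minimal constructed OOXML-style zip (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"constructed")
    return buf.getvalue()

def build_sample_message():
    """Constructed mail: one clean .docx plus a macro-carrying file renamed to .docx."""
    msg = EmailMessage()
    msg.set_content("Please see the attached invoice.")
    for name, macros in (("report.docx", False), ("invoice.docx", True)):
        msg.add_attachment(make_ooxml(macros), maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```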